6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35

General

Target

6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe
Size

78KB
MD5

3e580028e752c3b3f4e6865e2d78c3b0
SHA1

6f3a8188e4a72b87492a36fee7a6f3cc45fe1bf2
SHA256

6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35
SHA512

0a478533c793f6e47db5463da8bc81782024f6385cf41addb26bb25d8d3926646ab089a160610b38b2b96054e26798b3d23d45135f3d8be1a8b3a5681845693a
SSDEEP

1536:xRy588Vdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC6g9/41hUT:xRy588/vqyA11XYUBxprBPjco9/F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	tmpDDC2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe
2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmpDDC2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDDC2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe
Token: SeDebugPrivilege	2632	tmpDDC2.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2340	2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe	31
PID 2888 wrote to memory of 2340	2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe	31
PID 2888 wrote to memory of 2340	2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe	31
PID 2888 wrote to memory of 2340	2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe	31
PID 2340 wrote to memory of 868	2340	vbc.exe	33
PID 2340 wrote to memory of 868	2340	vbc.exe	33
PID 2340 wrote to memory of 868	2340	vbc.exe	33
PID 2340 wrote to memory of 868	2340	vbc.exe	33
PID 2888 wrote to memory of 2632	2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe	34
PID 2888 wrote to memory of 2632	2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe	34
PID 2888 wrote to memory of 2632	2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe	34
PID 2888 wrote to memory of 2632	2888	6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe	34

C:\Users\Admin\AppData\Local\Temp\6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe
"C:\Users\Admin\AppData\Local\Temp\6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rers4a-q.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE8D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE8C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:868
- C:\Users\Admin\AppData\Local\Temp\tmpDDC2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDDC2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6b724cedc053ffb6ab66d7fab225eb685c2a86538e27262ef8999cb9bb21dd35N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDE8D.tmp

Filesize
1KB

MD5
a1b6e8f5331775e837fd5562e8e1a064

SHA1
5344e7f57d313a1d493f109ddef9c919081d7089

SHA256
5765b3d2de605ad5d739ab2ca0478a619295118337e6f9c97ceb6e8a27a44351

SHA512
f643ace9233869d06f17f55ef1dd861f64f8618408fb5f67dd969266f2042a5b08d60aaecd2a1a955496c9fc801a2545b1ba879097712b34ef284b5e994ec3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rers4a-q.0.vb

Filesize
14KB

MD5
6c022d1b08fb0eb037511a49fccf7b01

SHA1
6099262e147c8e7ffb9feadb4970873b678ba6c3

SHA256
4ec6faa529bd0145940b3e046837ca8124657cd4f86f0b9daa196c1e7be007c8

SHA512
f8e98081760eadb8e8fd901f4a7b87a316ccdb4c6ce9a150101f8dc67c46fe89ae676f2a04e06589bf09d6208162a7a6884935679ce3ac5b4e2843d4adc2dba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rers4a-q.cmdline

Filesize
266B

MD5
0d558b64f77a8b71164d897e79304772

SHA1
6fcdaf3544e0c482f19212937ac66fe12a0c8196

SHA256
54532b22bee86bd215564d3e9f8804d59a9970f3517fb66e19292b5810f7659e

SHA512
d38bd3e44c05eccbd083dae8a94764fad6e64234647b0a5bc7544b7808436acfe435ace9b6682d8e4b515381d810e4cb4ff1312cbb7abb42aafca2551d9c7f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDC2.tmp.exe

Filesize
78KB

MD5
1ffccdf7d93c5bccecd827c18d906919

SHA1
ea4d8dc046118db797ed0997bebe9baf58baa44e

SHA256
faf0d439e139e58dd8e838a40eb879380bc1ed99d57f936a8ad6cbcc961ca7f1

SHA512
f7563e506cf65e722f7feeea27c5ecbba079e3855afa88732013244d8c6343493a152a02f5160dec3edf56c2f096ae49e152a6766028ced483440c801cc91d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDE8C.tmp

Filesize
660B

MD5
b21c421970ab847f02924feb2376ca4e

SHA1
ba2f462a0a85767d3fb6bc8d24ffc16f0107c1c8

SHA256
a2836058da8e24745e1616905b1f282abea2de1b49a260909cec8340ef19c0e5

SHA512
343e248e2696cc5b51154f1ba07936ea6f28e973cf6b757f5971603c72b8a572d4007467113de1198e3e3c95e0ddc00dbd675f24f57fd93228caecc1e7a99b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/2340-8-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2340-18-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-24-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads